Employees Cause Most Security Breaches, Yet Response Lags

How do you prevent a trusted insider from doing something dangerous, at least from an information security perspective?

On the list of security vulnerabilities, employees may be the most difficult problem to manage. Firewalls can be programmed to perfection and intrusion prevention systems perfectly calibrated, but when a trusted employee does something they shouldn’t, either accidentally or unknowingly (and perhaps in the service of an attacker, via a social-engineering attack), many IT security controls become irrelevant.

Experts disagree about the best way to address the security risk employees pose. One extreme favors rigorous user education, and perhaps blame, when users get it wrong. Another faction notes the poor state of security isn’t employees’ fault, and that until software and hardware vendors make out-of-the-box security effective and easy to use, information security departments will fight a losing battle.

Human Error Causes Most Breaches

Unfortunately, the employee-security problem is not just difficult to manage; it also causes considerable damage. Indeed, 574 recently surveyed IT professionals ascribed 60 percent of their company’s 2005 security breaches to human error, 20 percent to technical malfunctions, and the remainder to a combination of the two.

Those results come from a study commissioned, for the third year in a row, by the Computing Technology Industry Association Inc. (CompTIA), a training and security certification organization. According to the survey results, “One of the constants found in this ongoing study has been that the bulk of security breaches are caused by some kind of internal human error.”

“The primary cause of security breaches—human error—is not being adequately addressed,” argues Brian McCarthy, CompTIA’s chief operating officer. “The person behind the PC continues to be the primary area where weaknesses are exposed.”

The operator-error problem is growing. In 2004, employees accounted for 47 percent of breaches, but by 2005 it was 60 percent. This increase comes despite increased use of security policies meant to corral malicious or accidental behavior that compromises security. For example, while only half of companies had written security policies in 2004, by last year 59 percent did.

The CompTIA study found two types of organizations are at particular risk from their employees: those with more than 7,000 employees, and educational institutions. The former group is generally aware of the risk and much more likely to have both a written security policy and security training measures. The same is not true, however, for educational institutions, which according to the study “seem to be at least collectively more lax about the problem—they are less likely than others to have a written IT policy, much less likely than others to have some security training.”

Need an excuse to improve your company’s security? Point to this: the average financial impact of a security breach is $35,000, and according to the study, “Some organizations reported a financial impact above $50,000 for security breaches, showing that while a garden-variety breach may be little more than an inconvenience, the potential for serious harm is always present.”

Education Used Sparingly at Best

Education is one tool for improving employees’ habits, and 84 percent of companies with security awareness programs credit it with reducing breaches. Yet only one-third of companies have security training programs. While 11 percent plan to implement one soon, one-third of companies have no plans to implement such training at all.

Some existing security awareness training programs may also be inadequate. According to CompTIA, typical training sessions detail how to use e-mail, passwords, and Internet browsers safely, yet at 11 percent of companies, such training runs less than 30 minutes, and at 36 percent of companies, less than an hour.

Thus, while many organizations continue to invest in better security technology—from antivirus and anti-spyware to firewalls and intrusion prevention systems—educational efforts appear to lag. “As we get better from a technology standpoint, many organizations seem to believe that technology solutions alone are sufficient to turn back all attacks, and a level of complacency may be setting in,” says McCarthy. “No technology on its own can be completely successful without an equally strong commitment to information security awareness and training throughout every level of the organization.”

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.